With all of the data they have about us, the U.S. tech giants (Facebook, Google, Amazon, etc.) wield market power that other companies can only imagine. It is easy for that imagination to run wild, as companies consider how similar insights could transform their own business. The allure of bigger data, better machine learning, and more powerful analytics may stem from a vision for the future or perhaps a fear of falling behind. Either way, the market for data on consumers is thriving. A slew of companies have capitalized on the mining and brokering of this data.
We consumers may grow to expect some data tracking. However, we may not realize that our healthcare data, collected behind the safely closed doors of our doctor’s office, travels through many hands for the profit of others.
Note: In the visual above, we have done our best to trace the web of connections, but our map is not comprehensive. Please reach out with suggestions, insights, or questions.
Within the healthcare system, patient health information (PHI) must be de-identified when traded, as mandated by HIPAA. But HIPAA does not prohibit the sale of your data, require that your health data is only used for your health care, or protect your health data outside of the health system. In fact, consumer companies such as DNA testing and analysis services are not required to de-identify your data if they sell it to data brokers.[13] Even when data is de-identified, data miners and brokers use systems that replace your name, SSN, and a few other “identifying” data with a unique code in order to create a longitudinal record of your health.
Re-identifying de-identified profiles has become much easier since the HIPAA laws were first established. It is easy to imagine how combining information such as GPS data with past appointment times and dates would pinpoint an individual. Past studies have found that “63% of the population can be uniquely identified by the combination of their gender, date of birth, and zip code alone.”[3]
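One way a data holder can measure the risk described above before releasing records, as an added example that is not from the original article: it counts how many rows in a constructed sample are unique on gender, date of birth, and zip code, then repeats the count after coarsening those fields. The records, field names, and the coarsening chosen (birth year, three-digit zip prefix) are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: "de-identified" rows keep a pseudonymous code plus the
# three quasi-identifiers named above. All values are made up.
RECORDS = [
    {"code": "p01", "gender": "F", "dob": "1984-03-12", "zip": "02139"},
    {"code": "p02", "gender": "F", "dob": "1984-07-30", "zip": "02139"},
    {"code": "p03", "gender": "M", "dob": "1984-03-12", "zip": "02139"},
    {"code": "p04", "gender": "M", "dob": "1984-11-02", "zip": "02141"},
    {"code": "p05", "gender": "F", "dob": "1991-01-05", "zip": "02141"},
    {"code": "p06", "gender": "F", "dob": "1991-09-21", "zip": "02143"},
    {"code": "p07", "gender": "M", "dob": "1975-06-18", "zip": "02143"},
    {"code": "p08", "gender": "M", "dob": "1975-02-27", "zip": "02144"},
    {"code": "p09", "gender": "F", "dob": "1962-04-09", "zip": "02139"},
]

def exact(r):  # quasi-identifier tuple exactly as released
    return (r["gender"], r["dob"], r["zip"])

def generalized(r):  # coarsened: birth year only, first three zip digits
    return (r["gender"], r["dob"][:4], r["zip"][:3])

def class_sizes(records, key):
    """How many records share each quasi-identifier tuple."""
    return Counter(key(r) for r in records)

def unique_fraction(records, key):
    """Share of records that are the only one with their tuple."""
    sizes = class_sizes(records, key)
    return sum(sizes[key(r)] == 1 for r in records) / len(records)

def k_anonymity(records, key):
    """Smallest group size; k == 1 means at least one record stands alone."""
    return min(class_sizes(records, key).values())

def at_risk(records, key, k):
    """Codes of records whose group is smaller than k."""
    sizes = class_sizes(records, key)
    return [r["code"] for r in records if sizes[key(r)] < k]

def suppress(records, key, k):
    """Withhold records that coarsening alone cannot place in a group of k."""
    sizes = class_sizes(records, key)
    return [r for r in records if sizes[key(r)] >= k]

if __name__ == "__main__":
    kept = suppress(RECORDS, generalized, 2)
    print(unique_fraction(RECORDS, exact), unique_fraction(RECORDS, generalized))
    print(at_risk(RECORDS, generalized, 2), k_anonymity(kept, generalized))
```

In this sample every row is unique as released; coarsening leaves one outlier (`p09`) that still stands alone and has to be withheld before the remaining rows reach k = 2.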
Many companies value health-related data whether it’s de-identified or directly linked to patient names and addresses. For some of these purposes, we patients may have zero objections. Some patients are eager to share data with researchers if it supports a cure for them or their legacy. Patients may object to other uses of their health data such as targeted advertising or profiling. However, the missing thread across all of these uses is patient consent.
We patients need ownership over our health data, which is often the most sensitive information about our lives. We need authority over its access and use. At the very least, we need to know who is using and viewing our data. For those of us who are healthy and in a financial position to entertain a myriad of health/fitness services and organic food, we may not be negatively impacted. If we have any kind of medical condition or are in a similar demographic to those who struggle with their health, we may more strongly feel the intrusion on our privacy and even experience discrimination via profiling.